Security

(public)

User Story

Many extensions inject HTML into pages, including sometimes <script src=http://example.org/some-script.js>. When a non-HTTPS script reference is injected into an HTTPS document like this, the security of the affected page's origin is significantly reduced, since it becomes vulnerable to a MITM replacing the benign insecure script with malicious code.
Consequently, we should block addons that attempt to inject references to insecure resources (including <script>, <link rel=stylesheet>, font-src, etc.) into HTTPS pages.
When such an issue is found in an addon, we should let the addon author know about free ways to obtain an SSL certificate. E.g., refer them to http://www.godaddy.com/ssl/ssl-open-source.aspx and http://www.startcom.org/?app=14&rel=10.

We already have policies against injected insecure content in secure pages, and injected scripts in general. If you find any cases of add-ons on AMO that don't follow these policies, please let us know.